Second day of rolling blackouts starts

• Previous message (by thread): Second day of rolling blackouts starts
• Next message (by thread): Second day of rolling blackouts starts
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 09:43 19/01/01 -0500, Marshall Eubanks wrote:

>Two people have asked me off list about the RAMEN worm,
>which affects Linux Redhat distro's. Here is brief description of the
>worm, and a link to more,
>from Lucy Lynch at Internet2 / UOregon.
>
>The multicast implications :
>
>This worm scans a portion of the multicast address space. These scans 
>(packets)
>are viewed as new multicast sources by a PIM multicast enabled router,
>which encapsulates
>them and sends them to its RP. The RP creates MSDP Session Announcements
>FOR EACH SCAN
>and floods them to every RP neighbor it has in "nearby" AS's, and those
>repeat the process.
>The result is a MSDP packet storm. We have gotten 15,000 SA's a minute.
>Dealing with these
>can melt down routers. (We had to reboot a Cisco 7204, for example,
>which apparently either filled
>up or fragmented its memory beyond usability.)
>
>I think it is fair to say that the question of rate limiting and other
>DOS filtering in
>PIM/SSM/MSDP multicast is getting serious attention now.

I have installed on my multicast tunnels (one to StarTap and the other to 
Dante/Quantum):

rate-limit input access-group 180 128000 30000 30000 conform-action 
transmit exceed-action drop
!
access-list 180 permit tcp any any eq 639
access-list 180 permit udp any any eq 639
access-list 180 deny   ip any any

IANA has MSDP listed as port 639 - tcp+udp.  It appears MSDP is only really 
TCP:
mcast#sho access-l 180
Extended IP access list 180
     permit tcp any any eq 639 (1555 matches)
     permit udp any any eq 639
     deny ip any any (37888 matches)

and

mcast#sho in rate
Tunnel1 Mbone tunnel to Dante
   Input
     matches: access-group 180
       params:  128000 bps, 30000 limit, 30000 extended limit
       conformed 755 packets, 60044 bytes; action: transmit
       exceeded 0 packets, 0 bytes; action: drop
       last packet: 388ms ago, current burst: 0 bytes
       last cleared 00:07:26 ago, conformed 1000 bps, exceeded 0 bps
Tunnel2 Mbone tunnel to Startap
   Input
     matches: access-group 180
       params:  128000 bps, 30000 limit, 30000 extended limit
       conformed 909 packets, 148937 bytes; action: transmit
       exceeded 0 packets, 0 bytes; action: drop
       last packet: 1048ms ago, current burst: 0 bytes
       last cleared 00:08:48 ago, conformed 2000 bps, exceeded 0 bps

I'll only know tomorrow if I stop getting the constant:
Jan 21 14:00:03: %SYS-3-CPUHOG: Task ran for 6300 msec (123/75), process = 
MSDP Process, PC = 60790390. -Traceback= 60790398 604146B4 604146A0
error messages.  I don't know whether 128kb/sec of MSDP is too much or too 
little.

-Hank



>Marshall Eubanks
>
>
>"Lucy E. Lynch" wrote:
> >
> > a bit more info on ramen here:
> >
> > http://members.home.net/dtmartin24/ramen_worm.txt
> >
> > "And now, the contents of that ramen.tgz file: All the binaries are in the
> > archive twice, with RedHat 6.2 and RedHat 7.0 versions. Numerous binaries
> > were not stripped, which makes the job of taking them apart easier."
> >
> > asp:       An xinetd config. file that will start up the fake webserver
> >            Used on RedHat 7.0 victim machines.
> > asp62:     HTTP/0.9-compatible server that always serves out the file
> >            /tmp/ramen.tgz to any request - NOT stripped
> > asp7:      RedHat 7-compiled version - NOT stripped
> > bd62.sh:   Does the setup (installing wormserver, removing vulnerable
> >            programs, adding ftp users) for RedHat 6.2
> > bd7.sh:    Same for RedHat 7.0
> > getip.sh:  Utility script to get the main external IP address
> > hackl.sh:  Driver to read the .l file and pass addresses to lh.sh
> > hackw.sh:  Driver to read the .w file and pass addresses to wh.sh
> > index.html: HTML document text
> > l62:       LPRng format string exploit program - NOT stripped
> > l7:        Same but compiled for RedHat 7 - stripped
> > lh.sh:     Driver script to execute the LPRng exploit with several
> >            different options
> > randb62:   Picks a random class-B subnet to scan on - NOT stripped
> > randb7:    Same but compiled for RedHat 7 - NOT stripped
> > s62:       statdx exploit - NOT stripped
> > s7:        Same but compiled for RedHat 7 - stripped
> > scan.sh:   get a classB network from randb and run synscan
> > start.sh:  Replace any index.html with the one from the worm; run getip;
> >            determine if we're RedHat 6.2 or 7.0 and run the appropriate
> >            bd*.sh and start*.sh
> > start62.sh: start (backgrounded) scan.sh, hackl.sh, and hackw.sh
> > start7.sh:  Same as start62.sh
> > synscan62:  Modified synscan tool - records to .w and .l files - stripped
> > synscan7:   Same but compiled for RedHat 7 - stripped
> > w62:        venglin wu-ftpd exploit - stripped
> > w7:         Same but compiled for RedHat 7 - stripped
> > wh.sh:     Driver script to call the "s" and "w" binaries against a given
> >            target
> > wu62:      Apparently only included by mistake.  "strings" shows it to be
> >            very similar to w62; nowhere is this binary ever invoked.
> >
> > Lucy E. Lynch                           Academic User Services
> > Computing Center                        University of Oregon
> > llynch at darkwing.uoregon.edu             (541) 346-1774
> > Cell: (541) 912-7998                    5419127998 at mobile.att.net

• Previous message (by thread): Second day of rolling blackouts starts
• Next message (by thread): Second day of rolling blackouts starts
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]